FunFact .cry File Virus (Restore Encrypted Files) - How to, Technology and PC Security Forum | SensorsTechForum.com

FunFact .cry File Virus (Restore Encrypted Files)


This article will help you to remove FunFact ransomware using the .cry file extension. It will also help you try and restore some of the .cry encrypted files.

A ransomware virus has appeared in the wild, encrypting archives, pictures, Microsoft Office documents and other important files. The virus is dubbed FunFact and has a note.ini ransom note, which it opens after encrypting the files. In the ransom note, the cyber-criminals demand a payment of around 1.6 BitCoin within a 7-day deadline. If you have become a victim of this ransomware virus, the advice is to focus on removing it immediately and then trying to restore the files FunFact encrypted with the RSA and AES ciphers.

Threat Summary

Name: FunFact
Type: Ransomware
Short Description: The malware encrypts users' files using a combination of the AES and RSA encryption algorithms.
Symptoms: The user may see a ransom note named note.ini asking to pay in BTC to an address. Files may be encrypted with the .cry file extension.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool: See If Your System Has Been Affected by FunFact (Download Malware Removal Tool)
User Experience: Join our forum to Discuss FunFact.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

FunFact Ransomware – How Does It Infect Users

FunFact is no different than any other ransomware virus. It could be spread via e-mail spam and the spam may contain malicious attachments which have:

  • Exploit kits embedded.
  • Malicious JavaScript or .js types of files.
  • Files that are legitimate .doc, .docx, .xls or .pdf format, containing malicious macros.

To cause an infection, the criminals may make the spammed messages look like legitimate messages from well-known companies or organizations.

Once the user opens the e-mail attachment and becomes infected by the malware, the virus may establish contact with multiple domains and addresses:

  • 23.239.26.248:80 (to get your IP address)
  • ocsp.usertrust.com
  • ocsp.comodoca.com
  • crl.comodoca.com

After this has been done, the payload of FunFact ransomware may be downloaded. It consists of the following files:

Word.D.exe
note.ini
clsign.dll
trc.dll
tst.tst
rar.exe
wallet.jpg
%TEMP%\{random A-Z 0-9}.tmp
%LOCALAPPDATA%\ow\Microsoft\CryptnetUrlCache\MetaData\

FunFact Ransomware – Post-Infection and Encryption

Besides obtaining the IP address of the infected computer, the FunFact virus may begin to scan for various files to encrypt. The files encrypted by this virus may include the following file types:

.7z, .ace, .arj, .bz2, .cab, .gz, .jpeg, .jpg, .lha, .lzh, .mp3, .rar, .taz, .tgz, .z, .zip, .xls, .docx, .doc, .xml

The encrypted files may be encoded with the Advanced Encryption Standard (AES), and an algorithm called RSA may be used for the encryption key. The files are reported to possibly have the .cry file extension added to them. They may appear like the following:

After encryption, the FunFact ransomware adds its distinctive note.ini ransom note and automatically opens it. The note has the following message for the victim:

Remove FunFact Ransomware and Try Restoring Your Files

In order to remove this ransomware virus completely from your computer, it is strongly recommended to follow our removal instructions posted below. They are designed to perform effective removal either by manually looking for the files or by automatically taking care of them via an advanced anti-malware tool (recommended).

After you have removed FunFact ransomware from your computer, it is strongly recommended to focus on restoring your data via some of the alternative methods which we have mentioned below in step “2. Restore files encrypted by FunFact”. These methods may not be 100 percent effective, but they may restore some of your files, depending on the situation.
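
One way to carry out the manual file check mentioned above, as an added example that is not part of the original article or of any vendor tool: a Python triage script that walks a folder for the payload names, the note.ini ransom note and the appended .cry extension listed in this article. The `name.ext.cry` naming pattern, the choice of which names count as generic, and the likely/suspicious/clean labels are assumptions of this example.

```python
import os
import tempfile

# Indicators from the article above; names are compared case-insensitively.
PAYLOAD_NAMES = {"word.d.exe", "clsign.dll", "trc.dll", "tst.tst", "rar.exe", "wallet.jpg"}
TARGET_EXTS = set((".7z .ace .arj .bz2 .cab .gz .jpeg .jpg .lha .lzh .mp3 .rar "
                   ".taz .tgz .z .zip .xls .docx .doc .xml").split())
# Assumption of this example: names too common to count on their own.
GENERIC = {"rar.exe", "wallet.jpg"}


def triage(root):
    """Walk root and sort FunFact indicators into three lists of paths."""
    found = {"encrypted": [], "payload": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            low, path = name.lower(), os.path.join(dirpath, name)
            if low.endswith(".cry"):
                # Assumed naming: ".cry" appended to the original name (a.docx.cry).
                if os.path.splitext(low[:-4])[1] in TARGET_EXTS:
                    found["encrypted"].append(path)
            elif low == "note.ini":
                found["notes"].append(path)
            elif low in PAYLOAD_NAMES:
                found["payload"].append(path)
    return found


def verdict(found):
    """Generic names and a lone note.ini only count when something specific co-occurs."""
    specific = [p for p in found["payload"] if os.path.basename(p).lower() not in GENERIC]
    if found["encrypted"] and (found["notes"] or specific):
        return "likely"
    return "suspicious" if found["encrypted"] or specific else "clean"


def demo():
    """Build a constructed sample tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("docs/report.docx.cry", "docs/photo.jpg.cry", "docs/note.ini",
                    "tmp/clsign.dll", "tools/rar.exe", "src/main.cry"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
        found = triage(root)
        return verdict(found), len(found["encrypted"]), len(found["payload"])


if __name__ == "__main__":
    print(demo())
```

The script only reads directory listings and changes nothing on disk outside its own temporary sample tree, so `triage()` can be pointed at a user profile or a mounted disk image before any cleanup starts.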

Ventsislav Krastev
